feat: secure account update endpoint

[arpitgupta1214]

Summary

• add authenticated request validation for PATCH /api/accounts
• allow object-shaped knowledges payloads to match chat's update flow
• add focused validation coverage for auth, account override resolution, and knowledges payload shape

Verification

• pnpm test lib/accounts/tests/validateUpdateAccountRequest.test.ts

---

Summary by cubic

Secure PATCH /api/accounts with auth-validated request handling, account access enforcement, and stricter payload rules. accountId is now optional (derived from auth), knowledges use object-array schema, and empty updates are rejected.

• New Features

  • Enforce auth with account override; returns 401 on failure.
  • Derive accountId from auth when missing; provided values may be overridden.
  • Stricter body validation: object knowledges { name, url, type }; reject empty updates with 400.

• Migration

  • Clients can omit accountId (derived from auth) and must include at least one updatable field.
  • Send knowledges as objects instead of strings.

^{Written for commit 4a6dfc0. Summary will update on new commits.}

Summary by CodeRabbit

• Refactor
  • Validation for account updates moved to the request level and now integrates authentication context to ensure updates apply to the correct account.
• Bug Fixes
  • Improved input validation for profile fields (including image URLs and knowledge entries) with clearer 400 error responses that identify missing/invalid fields.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
recoup-api	Ready	Preview	Apr 7, 2026 1:54am

[coderabbitai]

Warning

Rate limit exceeded

@sweetmantech has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 19 minutes and 1 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 19 minutes and 1 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 52f13077-a19f-4603-af63-5e4dd746660a

📥 Commits

Reviewing files that changed from the base of the PR and between 9f28804 and 4a6dfc0.

⛔ Files ignored due to path filters (1)

• lib/accounts/__tests__/validateUpdateAccountRequest.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**

📒 Files selected for processing (1)

• lib/accounts/validateUpdateAccountRequest.ts

📝 Walkthrough

Walkthrough

Refactors PATCH /api/accounts to replace body-only validation with request-level validation that parses JSON, validates the body schema, enforces auth context via validateAuthContext, and passes a ValidatedUpdateAccountRequest into updateAccountHandler.

Changes

Cohort / File(s)	Summary
Route handler app/api/accounts/route.ts	PATCH now calls validateUpdateAccountRequest(req) and forwards the validated result to updateAccountHandler; removed direct safeParseJson + validateUpdateAccountBody usage.
Handler signature lib/accounts/updateAccountHandler.ts	Function signature updated to accept ValidatedUpdateAccountRequest (import from validateUpdateAccountRequest) instead of the old UpdateAccountBody type; runtime logic unchanged.
Validation modules lib/accounts/validateUpdateAccountBody.ts (deleted), lib/accounts/validateUpdateAccountRequest.ts (added)	Deleted body-only validator and its types; added request-level validator that parses JSON, validates updateAccountBodySchema (including accountId, profile fields, knowledges, image), integrates validateAuthContext, returns NextResponse on errors or a ValidatedUpdateAccountRequest with accountId normalized from auth context.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Route as "PATCH /api/accounts"
    participant ReqValidator as validateUpdateAccountRequest
    participant AuthValidator as validateAuthContext
    participant Handler as updateAccountHandler
    participant Response as NextResponse

    Client->>Route: PATCH request
    Route->>ReqValidator: validateUpdateAccountRequest(req)
    ReqValidator->>ReqValidator: safeParseJson + schema validation
    alt schema invalid
        ReqValidator->>Response: 400 error + CORS headers
        Response-->>Client: Error response
    else schema valid
        ReqValidator->>AuthValidator: validateAuthContext(req, accountId)
        alt auth invalid
            AuthValidator-->>ReqValidator: NextResponse (error)
            ReqValidator->>Response: Auth error response
            Response-->>Client: Error response
        else auth valid
            AuthValidator-->>ReqValidator: Auth context (normalized accountId)
            ReqValidator->>Handler: Pass ValidatedUpdateAccountRequest
            Handler->>Response: Process update & return response
            Response-->>Client: Success response
        end
    end

Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly Related PRs

• feat: Bearer token accountId override for /api/chat #405: Migrates endpoint auth/override logic to use the shared validateAuthContext helper, similar pattern applied here.

Poem

Validation reads the incoming song,
Auth replies to right the wrong,
Request becomes a trusted guest,
Handler takes it, does its best,
Safe updates hum — the account rests.

🚥 Pre-merge checks | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Solid & Clean Code	⚠️ Warning	PR violates DRY/KISS by manually listing all 8 fields instead of using object spread/destructuring, creating unnecessary duplication and inconsistency with established patterns.	Refactor to use destructuring and object spread (const { accountId, ...bodyFields } = result.data;) consistent with validateSandboxBody.ts pattern.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/migrate-account-update-api

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

lib/accounts/validateUpdateAccountRequest.ts (1)

30-32: Validation module naming should follow the body/query convention.

Please keep Zod schema/type exports in a validate<EndpointName>Body.ts (or Query.ts) file, and keep request-level orchestration/auth composition separate if needed.

Based on learnings: "Applies to lib/**/validate*.ts : Create validate functions in validate<EndpointName>Body.ts or validate<EndpointName>Query.ts files that export both the schema and inferred TypeScript type."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/accounts/validateUpdateAccountRequest.ts` around lines 30 - 32, The
current validateUpdateAccountRequest function mixes request-level orchestration
with the Zod schema/type exports; extract the Zod schema and inferred TypeScript
type into a new module named validateUpdateAccountRequestBody.ts (export both
the schema and the inferred type, e.g., UpdateAccountRequestSchema and
UpdateAccountRequest), then update validateUpdateAccountRequest to import that
schema/type and keep only the request-level logic
(auth/composition/NextRequest→NextResponse handling) in this file; ensure
validateUpdateAccountRequest references the imported UpdateAccountRequest type
and schema names when parsing/validating.

lib/accounts/updateAccountHandler.ts (1)

16-80: updateAccountHandler is carrying too many responsibilities in one function.

It currently mixes existence checks, account update, account_info upsert, post-fetch, and error-to-response mapping. Please split into focused helpers to reduce branching and keep this handler within size limits.

As per coding guidelines: "Apply Single Responsibility Principle (SRP): one exported function per file; each file should do one thing well", "Keep functions under 50 lines", and "Flag functions longer than 20 lines."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/accounts/updateAccountHandler.ts` around lines 16 - 80, The handler
updateAccountHandler is doing too much; split it into small helpers: add
verifyAccountExists(accountId) that calls getAccountWithDetails and
returns/throws if missing, applyNameUpdate(accountId, name) that calls
updateAccount only when name !== undefined, and upsertAccountInfo(accountId,
info) that uses selectAccountInfo, insertAccountInfo, and updateAccountInfo to
perform the create-or-update logic for organization, image, instruction,
jobTitle, roleType, companyName, and knowledges; keep the handler to
orchestration only (call verifyAccountExists, applyNameUpdate,
upsertAccountInfo, then fetch updated via getAccountWithDetails) and centralize
response/error mapping to use getCorsHeaders and the existing error message
logic. Ensure each new helper is small (<20–50 lines) and exported/placed in
this file so the exported function per file rule holds.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@lib/accounts/validateUpdateAccountRequest.ts`:
- Around line 13-15: The schema currently requires accountId; change
updateAccountRequestSchema so accountId is optional (e.g.,
z.string().uuid().optional()) so the PATCH body no longer mandates it, and
ensure route handlers derive the account ID from authentication using
validateAuthContext() and only accept an accountId override when explicit
authorization logic permits it; update any code paths that consumed a required
accountId to use the auth-derived value (or the optional override) instead.

---

Nitpick comments:
In `@lib/accounts/updateAccountHandler.ts`:
- Around line 16-80: The handler updateAccountHandler is doing too much; split
it into small helpers: add verifyAccountExists(accountId) that calls
getAccountWithDetails and returns/throws if missing, applyNameUpdate(accountId,
name) that calls updateAccount only when name !== undefined, and
upsertAccountInfo(accountId, info) that uses selectAccountInfo,
insertAccountInfo, and updateAccountInfo to perform the create-or-update logic
for organization, image, instruction, jobTitle, roleType, companyName, and
knowledges; keep the handler to orchestration only (call verifyAccountExists,
applyNameUpdate, upsertAccountInfo, then fetch updated via
getAccountWithDetails) and centralize response/error mapping to use
getCorsHeaders and the existing error message logic. Ensure each new helper is
small (<20–50 lines) and exported/placed in this file so the exported function
per file rule holds.

In `@lib/accounts/validateUpdateAccountRequest.ts`:
- Around line 30-32: The current validateUpdateAccountRequest function mixes
request-level orchestration with the Zod schema/type exports; extract the Zod
schema and inferred TypeScript type into a new module named
validateUpdateAccountRequestBody.ts (export both the schema and the inferred
type, e.g., UpdateAccountRequestSchema and UpdateAccountRequest), then update
validateUpdateAccountRequest to import that schema/type and keep only the
request-level logic (auth/composition/NextRequest→NextResponse handling) in this
file; ensure validateUpdateAccountRequest references the imported
UpdateAccountRequest type and schema names when parsing/validating.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2ec649f1-776b-420f-b086-24b0c8d7af76

📥 Commits

Reviewing files that changed from the base of the PR and between d01ff28 and 04b0dcb.

⛔ Files ignored due to path filters (1)

• lib/accounts/__tests__/validateUpdateAccountRequest.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**

📒 Files selected for processing (4)

• app/api/accounts/route.ts
• lib/accounts/updateAccountHandler.ts
• lib/accounts/validateUpdateAccountBody.ts
• lib/accounts/validateUpdateAccountRequest.ts

💤 Files with no reviewable changes (1)

• lib/accounts/validateUpdateAccountBody.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid making accountId mandatory in the PATCH body.

This should be derived from authentication by default; keep override optional only when explicitly authorized. Requiring it in every request weakens the endpoint contract and increases misuse risk.

As per coding guidelines: "Never use account_id in request bodies or tool schemas; always derive the account ID from authentication" and "Always use validateAuthContext() for authentication in API routes."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/accounts/validateUpdateAccountRequest.ts` around lines 13 - 15, The
schema currently requires accountId; change updateAccountRequestSchema so
accountId is optional (e.g., z.string().uuid().optional()) so the PATCH body no
longer mandates it, and ensure route handlers derive the account ID from
authentication using validateAuthContext() and only accept an accountId override
when explicit authorization logic permits it; update any code paths that
consumed a required accountId to use the auth-derived value (or the optional
override) instead.

[cubic-dev-ai]

1 issue found across 5 files

Confidence score: 4/5

• This PR is likely safe to merge, but there is a moderate validation gap in lib/accounts/validateUpdateAccountRequest.ts where a request containing only accountId is treated as a valid update.
• The impact appears limited to request correctness (accepting no-op updates) rather than a clear crash or data-loss path, which keeps overall merge risk on the lower side.
• Pay close attention to lib/accounts/validateUpdateAccountRequest.ts - enforce that at least one updatable field (in addition to accountId) is required.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/accounts/validateUpdateAccountRequest.ts">

<violation number="1" location="lib/accounts/validateUpdateAccountRequest.ts:13">
P2: Require at least one updatable field besides `accountId`; currently a body with only `accountId` is accepted as a valid update.</violation>
</file>

Architecture diagram

sequenceDiagram
    participant Client
    participant API as API Route (PATCH)
    participant VAL as validateUpdateAccountRequest
    participant Auth as validateAuthContext
    participant DB as Supabase Services

    Client->>API: PATCH /api/accounts (JSON Body)
    API->>VAL: NEW: validateUpdateAccountRequest(req)
    
    VAL->>VAL: Parse JSON body
    VAL->>VAL: CHANGED: Validate schema (Zod)
    Note right of VAL: NEW: Validates "knowledges" as {name, url, type}[]

    alt Invalid Schema
        VAL-->>API: 400 Bad Request
        API-->>Client: 400 Error Response
    else Valid Schema
        VAL->>Auth: NEW: Check auth and account permission
        
        alt Auth Failure / No Permission
            Auth-->>VAL: 401 Unauthorized (NextResponse)
            VAL-->>API: 401 Unauthorized
            API-->>Client: 401 Error Response
        else Auth Success
            Auth-->>VAL: AuthContext (accountId, orgId, token)
            VAL->>VAL: NEW: Resolve accountId (body override check)
            VAL-->>API: Validated UpdateAccountRequest
        end
    end

    opt Request Validated & Authorized
        API->>DB: updateAccountHandler(validatedPayload)
        Note over DB: updateAccount, updateAccountInfo, etc.
        DB-->>API: Updated data
        API-->>Client: 200 OK (Account Data)
    end

Loading

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[arpitgupta1214]

Tested the API preview directly: https://recoup-api-git-codex-migrate-account-acb222-recoupable-ad724970.vercel.app

Verified with an authenticated bearer session that PATCH /api/accounts accepts and persists these fields: name, instruction, organization, image, jobTitle, roleType, companyName, and knowledges.

What I checked:

• OPTIONS /api/accounts returned 204 with expected CORS headers
• GET /api/accounts/:id returned 200
• PATCH /api/accounts returned 200 and persisted the update
• I then reverted the temporary test values and confirmed the rollback with another GET /api/accounts/:id

So the API preview is working end to end for authenticated account updates.

[cubic-dev-ai]

0 issues found across 1 file (changes from recent commits).

_{Requires human review: Auto-approval blocked by 1 unresolved issue from previous reviews.}

[cubic-dev-ai]

0 issues found across 2 files (changes from recent commits).

_{Requires human review: Auto-approval blocked by 1 unresolved issue from previous reviews.}

[sweetmantech]

why is accountId required instead of optional?

[coderabbitai]

♻️ Duplicate comments (1)

lib/accounts/validateUpdateAccountRequest.ts (1)

13-15: ⚠️ Potential issue | 🟠 Major

Make accountId optional in the PATCH body and auth-derived by default.

Line 14 currently makes accountId mandatory, which weakens the auth-first contract and forces redundant client input. Keep override optional and let auth context remain default source of truth (also update the PATCH JSDoc in app/api/accounts/route.ts accordingly).

Suggested change

 export const updateAccountBodySchema = z.object({
-  accountId: z.string().uuid("accountId must be a valid UUID"),
+  accountId: z.string().uuid("accountId must be a valid UUID").optional(),
   name: z.string().optional(),
   instruction: z.string().optional(),
   organization: z.string().optional(),
   image: z.string().url("image must be a valid URL").optional().or(z.literal("")),
   jobTitle: z.string().optional(),
   roleType: z.string().optional(),
   companyName: z.string().optional(),
   knowledges: z.array(knowledgeSchema).optional(),
 });

As per coding guidelines: "Never use account_id in request bodies or tool schemas; always derive the account ID from authentication".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/accounts/validateUpdateAccountRequest.ts` around lines 13 - 15, The
updateAccountBodySchema currently requires accountId, but per guidelines it
should be optional and derived from auth context by default. Change accountId in
updateAccountBodySchema to optional by using z.string().uuid().optional(), so
clients do not need to provide it redundantly. Also ensure to update the related
PATCH JSDoc in app/api/accounts/route.ts to reflect that accountId is optional
and derived from authentication.

🧹 Nitpick comments (2)

lib/accounts/validateUpdateAccountRequest.ts (2)

1-1: Align validator filename with the validate<EndpointName>Body.ts convention.

This file is named validateUpdateAccountRequest.ts; per validation-file convention, body schema validation should live in validateUpdateAccountBody.ts (with schema + inferred type exported there).

As per coding guidelines: "Create validate functions in validate<EndpointName>Body.ts or validate<EndpointName>Query.ts files that export both the schema and inferred TypeScript type".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/accounts/validateUpdateAccountRequest.ts` at line 1, The validator file
should follow the validate<EndpointName>Body.ts convention: rename
validateUpdateAccountRequest.ts to validateUpdateAccountBody.ts, move or create
an exported schema (e.g., updateAccountSchema) and an exported inferred
TypeScript type (e.g., UpdateAccountBody) from that file, and update any imports
that reference validateUpdateAccountRequest to import the schema and type from
validateUpdateAccountBody.ts; if a validateUpdateAccountRequest function exists,
keep or refactor it to use the exported updateAccountSchema/UpdateAccountBody
from validateUpdateAccountBody.ts so schema and type are exported per the
guidelines.

---

35-75: Split validateUpdateAccountRequest into smaller helpers.

Line 35 through Line 75 mixes JSON parsing, schema error formatting, auth validation, and response shaping in one function (~41 lines). Extracting these into helpers will better match the small-focused-function guideline.

As per coding guidelines: "Flag functions longer than 20 lines" and "Keep functions small and focused".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@lib/accounts/validateUpdateAccountRequest.ts` around lines 35 - 75, The
validateUpdateAccountRequest function is doing parsing, schema-error formatting,
auth validation and response shaping; split it into small helpers: create
parseRequestBody(request) that wraps safeParseJson and returns the parsed body,
create handleSchemaError(result) that formats and returns the NextResponse using
updateAccountBodySchema error info and getCorsHeaders, create
ensureAuthContext(request, accountId) that calls validateAuthContext and returns
or forwards the NextResponse, and create buildValidatedResponse(authContext,
resultData) that maps result.data fields into the ValidatedUpdateAccountRequest
shape; then refactor validateUpdateAccountRequest to call these helpers in
sequence (parseRequestBody -> schema check -> ensureAuthContext ->
buildValidatedResponse) using the existing symbols validateUpdateAccountRequest,
safeParseJson, updateAccountBodySchema, validateAuthContext, and getCorsHeaders.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@lib/accounts/validateUpdateAccountRequest.ts`:
- Around line 13-15: The updateAccountBodySchema currently requires accountId,
but per guidelines it should be optional and derived from auth context by
default. Change accountId in updateAccountBodySchema to optional by using
z.string().uuid().optional(), so clients do not need to provide it redundantly.
Also ensure to update the related PATCH JSDoc in app/api/accounts/route.ts to
reflect that accountId is optional and derived from authentication.

---

Nitpick comments:
In `@lib/accounts/validateUpdateAccountRequest.ts`:
- Line 1: The validator file should follow the validate<EndpointName>Body.ts
convention: rename validateUpdateAccountRequest.ts to
validateUpdateAccountBody.ts, move or create an exported schema (e.g.,
updateAccountSchema) and an exported inferred TypeScript type (e.g.,
UpdateAccountBody) from that file, and update any imports that reference
validateUpdateAccountRequest to import the schema and type from
validateUpdateAccountBody.ts; if a validateUpdateAccountRequest function exists,
keep or refactor it to use the exported updateAccountSchema/UpdateAccountBody
from validateUpdateAccountBody.ts so schema and type are exported per the
guidelines.
- Around line 35-75: The validateUpdateAccountRequest function is doing parsing,
schema-error formatting, auth validation and response shaping; split it into
small helpers: create parseRequestBody(request) that wraps safeParseJson and
returns the parsed body, create handleSchemaError(result) that formats and
returns the NextResponse using updateAccountBodySchema error info and
getCorsHeaders, create ensureAuthContext(request, accountId) that calls
validateAuthContext and returns or forwards the NextResponse, and create
buildValidatedResponse(authContext, resultData) that maps result.data fields
into the ValidatedUpdateAccountRequest shape; then refactor
validateUpdateAccountRequest to call these helpers in sequence (parseRequestBody
-> schema check -> ensureAuthContext -> buildValidatedResponse) using the
existing symbols validateUpdateAccountRequest, safeParseJson,
updateAccountBodySchema, validateAuthContext, and getCorsHeaders.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 705020a2-aca9-4b85-a981-28937779b6c8

📥 Commits

Reviewing files that changed from the base of the PR and between 04b0dcb and 9f28804.

⛔ Files ignored due to path filters (1)

• lib/accounts/__tests__/validateUpdateAccountRequest.test.ts is excluded by !**/*.test.*, !**/__tests__/** and included by lib/**

📒 Files selected for processing (4)

• app/api/accounts/route.ts
• lib/accounts/updateAccountHandler.ts
• lib/accounts/validateUpdateAccountBody.ts
• lib/accounts/validateUpdateAccountRequest.ts

💤 Files with no reviewable changes (1)

• lib/accounts/validateUpdateAccountBody.ts

✅ Files skipped from review due to trivial changes (1)

• lib/accounts/updateAccountHandler.ts

[cubic-dev-ai]

0 issues found across 2 files (changes from recent commits).

_{Requires human review: Modifies authentication and authorization logic for account updates and introduces a breaking change to the API request schema for the 'knowledges' field.}

[sweetmantech]

Preview Deployment Testing Results

Preview URL: recoup-api-git-codex-migrate-account-acb222-recoupable-ad724970.vercel.app

PATCH /api/accounts

Test	Result
Without accountId in body (derives from auth)	200 - update applied
With accountId override	200 - update applied to target account
No updatable fields (empty body)	400 - "At least one field to update must be provided"
Only accountId, no updatable fields	400 - "At least one field to update must be provided"
No auth headers	401 - "Exactly one of x-api-key or Authorization must be provided"

Fixes applied

• accountId is now optional in body (derived from auth by default)
• Requests with no updatable fields are rejected with 400